Capture Loss using pcap file

Eva_Seipel · October 7, 2019, 8:11am

Dear all,

when I run Zeek/Bro (Version 2.6.3) against a rather large pcap file of about 8GB (one from the CICIDS2017 dataset) I get values in between 17 and 65% in capture_loss.log. What could be the reason for that? I am pretty new to the topic and couldn’t find anything about that via search. Is it a problem with Zeek like to much data or was the loss already in the pcap and has nothing to do with Zeek?

Thank you.

Vern · October 10, 2019, 8:00pm

Hi Eva,

... Is it a
problem with Zeek like to much data or was the loss already in the pcap and
has nothing to do with Zeek?

The loss was already in the pcap. When running on pcaps, Zeek does not
drop any packets present in the pcap.

Vern

Topic		Replies	Views
Drop payload in trace file Zeek	1	289	March 21, 2023
about Zeek	1	84	May 6, 2022
Capture packet loss discrepancy Zeek	5	251	May 6, 2022
capture_loss vs. pkts_dropped vs. missed_bytes Zeek	2	162	May 6, 2022
Zeek - single huge pcap Zeek	1	146	May 6, 2022

Capture Loss using pcap file

Related topics